POST to https://www.googleapis.com/oauth2/v3/tokeninfo intead of GET (#…

…457) To avoid leaking access tokens in logs or traces from the client application.
zquestz · Aug 9, 2024 · 4288914 · 4288914
1 parent 0af26d4
commit 4288914
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/lib/omniauth/strategies/google_oauth2.rb b/lib/omniauth/strategies/google_oauth2.rb
@@ -231,7 +231,7 @@ def token_info(access_token)
         return nil unless access_token
 
         @token_info ||= Hash.new do |h, k|
-          h[k] = client.request(:get, 'https://www.googleapis.com/oauth2/v3/tokeninfo', params: { access_token: access_token }).parsed
+          h[k] = client.request(:post, 'https://www.googleapis.com/oauth2/v3/tokeninfo', body: { access_token: access_token }).parsed
         end
 
         @token_info[access_token]

diff --git a/spec/omniauth/strategies/google_oauth2_spec.rb b/spec/omniauth/strategies/google_oauth2_spec.rb
@@ -384,7 +384,7 @@
       subject.options.client_options[:connection_build] = proc do |builder|
         builder.request :url_encoded
         builder.adapter :test do |stub|
-          stub.get('/oauth2/v3/tokeninfo?access_token=valid_access_token') do
+          stub.post('/oauth2/v3/tokeninfo', 'access_token=valid_access_token') do
             [200, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(
               aud: '000000000000.apps.googleusercontent.com',
               sub: '123456789',
@@ -781,7 +781,7 @@
       subject.options.client_options[:connection_build] = proc do |builder|
         builder.request :url_encoded
         builder.adapter :test do |stub|
-          stub.get('/oauth2/v3/tokeninfo?access_token=valid_access_token') do
+          stub.post('/oauth2/v3/tokeninfo', 'access_token=valid_access_token') do
             [200, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(
               aud: '000000000000.apps.googleusercontent.com',
               sub: '123456789',
@@ -792,7 +792,7 @@
               expires_in: 436
             )]
           end
-          stub.get('/oauth2/v3/tokeninfo?access_token=invalid_access_token') do
+          stub.post('/oauth2/v3/tokeninfo', 'access_token=invalid_access_token') do
             [400, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(error_description: 'Invalid Value')]
           end
         end